deal with git's changes for CVE-2022-24765
Deal with git's recent changes to fix CVE-2022-24765, which prevent using git in a repository owned by someone else. That makes git config --list not list the repo's configs, only global configs. So annex.uuid and annex.version are not visible to git-annex. It displayed a message about that, which is not right for this situation. Detect the situation and display a better message, similar to the one other git commands display. Also, git-annex init when run in that situation would overwrite annex.uuid with a new one, since it couldn't see the old one. Add a check to prevent it running too in this situation. It may be that this fix has security implications, if a config set by the malicious user who owns the repo causes git or git-annex to run code. I don't think any git-annex configs get run by git-annex init. It may be that some git config of a command does get run by one of the git commands that git-annex init runs. ("git status" is the command that prompted the CVE-2022-24765, since core.fsmonitor can cause it to run a command). Since I don't know how to exploit this, I'm not treating it as a security fix for now. Note that passing --git-dir makes git bypass the security check. git-annex does pass --git-dir to most calls to git, which it does to avoid needing chdir to the directory containing a git repository when accessing a remote. So, it's possible that somewhere in git-annex it gets as far as running git with --git-dir, and git reads some configs that are unsafe (what CVE-2022-24765 is about). This seems unlikely, it would have to be part of git-annex that runs in git repositories that have no (visible) annex.uuid, and git-annex init is the only one that I can think of that then goes on to run git, as discussed earlier. But I've not fully ruled out there being others.. The git developers seem mostly worried about "git status" or a similar command implicitly run by a shell prompt, not an explicit use of git in such a repository. For example, Ævar Arnfjörð Bjarma wrote: > * There are other bits of config that also point to executable things, > e.g. core.editor, aliases etc, but nothing has been found yet that > provides the "at a distance" effect that the core.fsmonitor vector > does. > > I.e. a user is unlikely to go to /tmp/some-crap/here and run "git > commit", but they (or their shell prompt) might run "git status", and > if you have a /tmp/.git ... Sponsored-by: Jarkko Kniivilä on Patreon
This commit is contained in:
parent
7f28f41c37
commit
af0d854460
3 changed files with 40 additions and 3 deletions
|
@ -68,7 +68,7 @@ import Control.Concurrent.Async
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
checkInitializeAllowed :: Annex a -> Annex a
|
checkInitializeAllowed :: Annex a -> Annex a
|
||||||
checkInitializeAllowed a = noAnnexFileContent' >>= \case
|
checkInitializeAllowed a = guardSafeToUseRepo $ noAnnexFileContent' >>= \case
|
||||||
Nothing -> a
|
Nothing -> a
|
||||||
Just noannexmsg -> do
|
Just noannexmsg -> do
|
||||||
warning "Initialization prevented by .noannex file (remove the file to override)"
|
warning "Initialization prevented by .noannex file (remove the file to override)"
|
||||||
|
@ -216,7 +216,7 @@ objectDirNotPresent :: Annex Bool
|
||||||
objectDirNotPresent = do
|
objectDirNotPresent = do
|
||||||
d <- fromRawFilePath <$> fromRepo gitAnnexObjectDir
|
d <- fromRawFilePath <$> fromRepo gitAnnexObjectDir
|
||||||
exists <- liftIO $ doesDirectoryExist d
|
exists <- liftIO $ doesDirectoryExist d
|
||||||
when exists $
|
when exists $ guardSafeToUseRepo $
|
||||||
giveup $ unwords $
|
giveup $ unwords $
|
||||||
[ "This repository is not initialized for use"
|
[ "This repository is not initialized for use"
|
||||||
, "by git-annex, but " ++ d ++ " exists,"
|
, "by git-annex, but " ++ d ++ " exists,"
|
||||||
|
@ -228,6 +228,21 @@ objectDirNotPresent = do
|
||||||
]
|
]
|
||||||
return (not exists)
|
return (not exists)
|
||||||
|
|
||||||
|
guardSafeToUseRepo :: Annex a -> Annex a
|
||||||
|
guardSafeToUseRepo a = do
|
||||||
|
repopath <- fromRepo Git.repoPath
|
||||||
|
ifM (inRepo Git.Config.checkRepoConfigInaccessible)
|
||||||
|
( giveup $ unlines $
|
||||||
|
[ "Git refuses to operate in this repository,"
|
||||||
|
, "probably because it is owned by someone else."
|
||||||
|
, ""
|
||||||
|
-- This mirrors git's wording.
|
||||||
|
, "To add an exception for this directory, call:"
|
||||||
|
, "\tgit config --global --add safe.directory " ++ fromRawFilePath repopath
|
||||||
|
]
|
||||||
|
, a
|
||||||
|
)
|
||||||
|
|
||||||
{- Initialize if it can do so automatically. Avoids failing if it cannot.
|
{- Initialize if it can do so automatically. Avoids failing if it cannot.
|
||||||
-
|
-
|
||||||
- Checks repository version and handles upgrades too.
|
- Checks repository version and handles upgrades too.
|
||||||
|
|
|
@ -14,6 +14,11 @@ git-annex (10.20220505) UNRELEASED; urgency=medium
|
||||||
pass at the end.
|
pass at the end.
|
||||||
* fsck: Fix situations where the annex object file is stored in a
|
* fsck: Fix situations where the annex object file is stored in a
|
||||||
directory structure other than where annex symlinks point to.
|
directory structure other than where annex symlinks point to.
|
||||||
|
* Deal with git's recent changes to fix CVE-2022-24765, which prevent
|
||||||
|
using git in a repository owned by someone else.
|
||||||
|
* Improve an error message displayed in that situation.
|
||||||
|
* Prevent git-annex init incorrectly reinitializing the repository in
|
||||||
|
that situation.
|
||||||
|
|
||||||
-- Joey Hess <id@joeyh.name> Thu, 05 May 2022 15:08:07 -0400
|
-- Joey Hess <id@joeyh.name> Thu, 05 May 2022 15:08:07 -0400
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{- git repository configuration handling
|
{- git repository configuration handling
|
||||||
-
|
-
|
||||||
- Copyright 2010-2020 Joey Hess <id@joeyh.name>
|
- Copyright 2010-2022 Joey Hess <id@joeyh.name>
|
||||||
-
|
-
|
||||||
- Licensed under the GNU AGPL version 3 or higher.
|
- Licensed under the GNU AGPL version 3 or higher.
|
||||||
-}
|
-}
|
||||||
|
@ -22,6 +22,7 @@ import Git.Types
|
||||||
import qualified Git.Command
|
import qualified Git.Command
|
||||||
import qualified Git.Construct
|
import qualified Git.Construct
|
||||||
import Utility.UserInfo
|
import Utility.UserInfo
|
||||||
|
import Utility.Process.Transcript
|
||||||
|
|
||||||
{- Returns a single git config setting, or a fallback value if not set. -}
|
{- Returns a single git config setting, or a fallback value if not set. -}
|
||||||
get :: ConfigKey -> ConfigValue -> Repo -> ConfigValue
|
get :: ConfigKey -> ConfigValue -> Repo -> ConfigValue
|
||||||
|
@ -273,3 +274,19 @@ unset ck@(ConfigKey k) r = ifM (Git.Command.runBool ps r)
|
||||||
)
|
)
|
||||||
where
|
where
|
||||||
ps = [Param "config", Param "--unset-all", Param (decodeBS k)]
|
ps = [Param "config", Param "--unset-all", Param (decodeBS k)]
|
||||||
|
|
||||||
|
{- git "fixed" CVE-2022-24765 by preventing git-config from
|
||||||
|
- listing per-repo configs when the repo is not owned by
|
||||||
|
- the current user. Detect if this fix is in effect for the
|
||||||
|
- repo.
|
||||||
|
-}
|
||||||
|
checkRepoConfigInaccessible :: Repo -> IO Bool
|
||||||
|
checkRepoConfigInaccessible r = do
|
||||||
|
-- Cannot use gitCommandLine here because specifying --git-dir
|
||||||
|
-- will bypass the git security check.
|
||||||
|
let p = (proc "git" ["config", "--local", "--list"])
|
||||||
|
{ cwd = Just (fromRawFilePath (repoPath r))
|
||||||
|
, env = gitEnv r
|
||||||
|
}
|
||||||
|
(_out, ok) <- processTranscript' p Nothing
|
||||||
|
return (not ok)
|
||||||
|
|
Loading…
Reference in a new issue